The VLAN that the guests will be assigned to on the DMZ controller needs to have a wired-AAA profile associated with it. This AAA profile will have an initial role assigned that contains a captive portal role/profile assigned. The DMZ end of the tunnel should be "untrusted" to trigger the AAA profile assigned to the VLAN. An example configuration (VLAN 666 is the guest VLAN on the DMZ controller)...customize per your needs. The changes are made on the DMZ controller.
interface tunnel 5
description guest-tunnel-5
tunnel source 1.1.1.1
tunnel mode gre 48
tunnel destination 2.2.2.2
tunnel vlan 666
aaa authentication captive-portal dmz-guest-cp
default-role guest-role
server-group cppm-servers
redirect-pause 1
no logout-popup-window
login-page https://clearpass.domain.com/guest/guest.php
user-role dmz-guest-logon
captive-portal dmz-guest-cp
access-list session logon-control
access-list session captiveportal
aaa profile guest-dmz
initial-role dmz-guest-logon
vlan 666 wired aaa-profile dmz-guest-logon